Regex & negative look-arounds

Jarsa
22 July 2011, 23:46
Hi!

I've been testing Hiawatha and everything is working just fine, virtual hosts etc. Even installed banshee for testing. But... I'm trying to get zencart and zenmagick ecommerce packages working with hiawatha and got problems with .htaccess files. Typical zencart file is like this:
-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
# deny *everything*
<FilesMatch ".*">
Order Allow,Deny
Deny from all
</FilesMatch>

# but now allow just *certain* necessary files:
<FilesMatch ".*\.(js|JS|css|CSS|jpg|JPG|gif|GIF|png|PNG|swf|SWF|xsl|XSL)$">
Order Allow,Deny
Allow from all
</FilesMatch>

IndexIgnore */*

## NOTE: If you want even greater security to prevent hackers from running scripts in this folder, uncomment the following line (if your hosting company will allow you to use OPTIONS):
# OPTIONS -Indexes -ExecCGI
-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

I've tried to use look-arounds like this.

Match ^/includes/.+\.^(?!.*\b(js|JS|css|CSS|jpg|JPG|gif|GIF|png|PNG|swf|SWF|xsl|XSL)\b).*$ DenyAccess

My idea is that if the file does not end with a listed extension, access is denied. The problem is that I cannot test the rules, because Hiawatha gives an error when hiawatha.conf is reloaded. Is there support for regex lookarounds, or am I missing something? It's been a while since I've done anything with regexes, so it's probably me missing something important. I've been reading manuals and how-tos so much now that a little advice would be nice.

Hiawatha version: 7.5
Operating System: Ubuntu 10.04
Hugo Leisink
26 July 2011, 00:18
The Hiawatha version of the FilesMatch is this:
UrlToolkit {
Match .*\.(js|JS|css|CSS|jpg|JPG|gif|GIF|png|PNG|swf|SWF|xsl|XSL)$ Return
Match .* DenyAccess
}

Rules can be tested via the wigwam utility that comes with Hiawatha.
Jarsa
29 July 2011, 17:44
Thanks! This set seems to work ok, but needs more testing to be sure.
UrlToolkit {
ToolkitID = zencart
Match ^/docs/.*\.(js|css|jpg|gif|png|html)$ Return
Match ^/download/.*\.(zip|ZIP|gzip|pdf|PDF|mp3|MP3|swf|SWF|wma|WMA)$ Return
Match ^/editors/.*\.(js|css|jpg|gif|png|html)$ Return
Match ^/email/.*\.(jpe?g|JPE?G|gif|GIF|png|PNG)$ Return
Match ^/extras/.*\.(php|html)$ Return
Match ^/images/.*\.(jpe?g|JPE?G|gif|GIF|png|PNG|swf|SWF)$ Return
Match ^/includes/.*\.(js|JS|css|CSS|jpg|JPG|gif|GIF|png|PNG|swf|SWF|xsl|XSL)$ Return
Match ^/media/.*\.(mp3|mp4|swf|avi|mpg)$ Return
Match ^/pub/.*\.(zip|ZIP|gzip|pdf|PDF|mp3|MP3|swf|SWF)$ Return
Match ^/zc_install/(favicon.ico|.*\.(php|js|css|jpg|gif|png|html)$) Return
Match ^/zc_install$ Rewrite /zc_install/index.php

# change the following "admin" entries to "your-admin". ZenCart forces you to use a new admin name.
Match ^/admin/includes/.*\.(js|css|jpg|JPG|gif|GIF|png|PNG)$ Return
Match ^/admin/(favicon.ico|.*\.(php|js|css|jpg|gif|png)$) Return
Match ^/admin(/.*\.php\?)(.*) Rewrite /admin$1$2
Match ^/admin$ Rewrite /admin/index.php

Match ^/.*/.* DenyAccess
}
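As an added illustration (not code from the thread or from Hiawatha itself), the Python simulator below applies Hugo's two-rule translation and an excerpt of Jarsa's rule set with the first-match semantics the thread relies on, showing why the allow list must come before the deny-all rule. It assumes Match is a regex search and that processing stops after a Rewrite; Python's re module stands in for Hiawatha's own regex engine.

```python
import re

# Added simulator of the UrlToolkit semantics used in this thread: rules are
# tried top to bottom, "Return" stops and serves the URL, "DenyAccess" stops
# with a 403, and "Rewrite" substitutes $1, $2 ... with capture groups.
# Assumptions (not taken from Hiawatha's code): Match is a regex *search*,
# which is why the catch-all ".*" works, and processing stops after a Rewrite.

def run_toolkit(rules, url):
    """Return ('allow', url) or ('deny', url) for the first rule that fires."""
    for pattern, action, *args in rules:
        m = re.search(pattern, url)
        if m is None:
            continue
        if action == "Return":
            return ("allow", url)
        if action == "DenyAccess":
            return ("deny", url)
        if action == "Rewrite":
            new_url = re.sub(r"\$(\d)", lambda g: m.group(int(g.group(1))) or "", args[0])
            return ("allow", new_url)
        raise ValueError(f"unknown action {action!r}")
    return ("allow", url)  # no rule matched: the URL is served as-is

# Hugo's two-rule translation of the ZenCart FilesMatch block.
HUGO_RULES = [
    (r".*\.(js|JS|css|CSS|jpg|JPG|gif|GIF|png|PNG|swf|SWF|xsl|XSL)$", "Return"),
    (r".*", "DenyAccess"),
]

# Excerpt of Jarsa's per-directory rule set (admin name left as "admin").
ZENCART_RULES = [
    (r"^/includes/.*\.(js|JS|css|CSS|jpg|JPG|gif|GIF|png|PNG|swf|SWF|xsl|XSL)$", "Return"),
    (r"^/admin/(favicon.ico|.*\.(php|js|css|jpg|gif|png)$)", "Return"),
    (r"^/admin(/.*\.php\?)(.*)", "Rewrite", r"/admin$1$2"),
    (r"^/admin$", "Rewrite", "/admin/index.php"),
    (r"^/.*/.*", "DenyAccess"),
]

def check_ordering():
    """Show that the allow list must precede the deny-all rule."""
    allowed = run_toolkit(HUGO_RULES, "/includes/templates/style.css")
    denied = run_toolkit(HUGO_RULES, "/includes/configure.php")
    # Same two rules with deny-all first: nothing is ever reachable.
    swapped = run_toolkit(list(reversed(HUGO_RULES)), "/includes/templates/style.css")
    return allowed[0], denied[0], swapped[0]

if __name__ == "__main__":
    print(check_ordering())
    for u in ("/index.php?main_page=index", "/includes/configure.php", "/admin", "/admin/login.php"):
        print(u, "->", run_toolkit(ZENCART_RULES, u))
```

Note that `/index.php?main_page=index` reaches no rule at all in Jarsa's set, because the final `^/.*/.*` needs a second slash; that is what keeps the ZenCart front controller reachable while the subdirectories are closed.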
Jarsa
29 July 2011, 17:45
Hiawatha does not "see" .hidden_files? Zencart uses a hidden directory when a product is downloadable, and because of that Hiawatha can't find that product. I've noticed you're very strict with server standards (which I know nothing about). If you think Zencart is wrong here, could you give a link to any helpful guidelines? Zencart 2.0 is coming and I would like to see it being server independent, as the current one has been designed to work with apache2. There are already people with nginx etc. servers having these kinds of problems, so it would be a good time to check those standards, report bugs and make feature wishes.

One more question. Nice clean URLs. If it is possible with Hiawatha, how can it be done? I want to clean a URL like this:

/index.php?main_page=product_info&cPath=7_12&products_id=12

to something like this (just want to clean away the index.php part):

/main_page=product_info&cPath=7_12&products_id=12

I will check zenmagick rules also and post them here.
Hugo Leisink
29 July 2011, 19:27
Files that start with a dot are often configuration files. To prevent leakage of sensitive information, Hiawatha ignores those files and pretends they don't exist.

I indeed think that Zencart made a wrong decision by using directories that start with a dot.
Jarsa
9 August 2011, 14:25
I did some weekend testing with zenmagick and Hiawatha. Getting a little annoyed with .htaccess files.

Zenmagick runs on top of zencart, so it needs zencart's rules plus its own rules.
Jarsa
9 August 2011, 14:38
Sorry about that message. I tried to post a question with some .htaccess stuff but got "Message seen as spam". I accidentally left those couple of lines and pressed respond instead of back. Well, now it is real spam.

It is great that it is not needed to log in to write these messages, but "Message seen as spam" is not so funny either. Could there be both choices: log in and messages can be written freely, and if not logged in then spam is checked?
Hugo Leisink
9 August 2011, 21:36
Registering first is not really an option for me. If users can register themselves, soon I have my forum filled with registered spammers. If I have to accept a registration first, how can I distinguish the real ones from the fake ones?

Sorry, I'm sticking with what I have. And sorry if some of those messages are falsely not accepted.
This topic has been closed.